I have a FreeBSD server that I like to be able to get to from anywhere. Normally I use SSH publickey to log in, or if I don't have my SSH private key available then I might use regular password over SSH. However, when logging in from an untrusted machine there's always the risk of a keylogger capturing my login password as I type it.

FreeBSD already has support for OPIE which is a one-time password scheme. This works great, but the one-time password is the only authentication needed. If I print out a list of one-time passwords to use later, then if I lose that list then that's all somebody needs.

I'd like to set up the authentication so that I need a one-time password plus something I know (a password, except not my usual login password). I have a feeling the answer has something to do with PAM (and /etc/pam.d/sshd) but I'm not certain on the details.

If you lost the list of OTPs, wouldn't you know this and change your opie password?
– Chris SAug 26 '10 at 20:33

@Chris S: that assumes you can log in to the server from wherever you are without having your OTP list.
– Greg HewgillAug 26 '10 at 20:45

Considering OPIE hasn't been updated in almost 16 years, I'm sure it was an oversight at the time; I don't know of a way to do what you're asking, but it definitely sounds like a really good idea that should be implemented. My smart@ss answer to being able to login from almost everywhere: consider getting a smart phone with PocketPutty or a similar app.
– Chris SAug 26 '10 at 20:55

That would expose his actual password; the question specifically said "except not my usual login password"
– Chris SSep 10 '10 at 3:59

Ah, I missed that! Then he needs a pam module which uses a static second password with ssh-kbdint. Unfortunately I don't know of anyone who has written such a module, but it isn't very hard as you can use ssh_auth and modify it to use another password file.
– MartinSep 11 '10 at 4:52